Hospital Crippled by Days-Long Cyberattack
Lurie Children’s Hospital, Chicago’s largest pediatric provider, experienced a cyberattack that crippled its email systems and most of its phone service for nearly two weeks. The hospital’s Epic MyChart system remained offline after most services were restored, requiring patients, families, and community providers to instead use a call center the hospital launched after the attack.
The Rhysida ransomware group reportedly claimed responsibility for the cyberattack and listed the hospital’s data for sale on a dark web site for $3.4 million, but the hospital did not confirm those reports.¹
The Chicago incident highlights the need for healthcare organizations to take steps that can mitigate risk up front before something goes wrong, says Donald DePass, JD, an attorney with Hogan Lovells in Washington, DC. Organizations can enforce data minimization and retention practices that limit the information they maintain that could be exposed in an incident, he says. That includes limiting the amount of personal information collected to what is necessary for them to provide their products and services to their customers and their patients.
“The idea is restricting the footprint and limiting the number of places that the data resides and potentially could be subject to unauthorized access or use,” DePass says. “Another step organizations can take to mitigate risk up front is just educating their workforces on the protections that they have in place to safeguard data [and] training on privacy and security policies.”
It also is important to promptly apply software updates and patches, use tools like multifactor authentication and encryption, regularly back up important data, and regularly evaluate the effectiveness of security controls to identify potential risks and vulnerabilities, DePass says.
“Organizations would be wise to make sure that their vendors are taking similar actions. Often, when a healthcare organization experiences an incident that impacts its data, the incident actually originates from a vendor or service provider that they’ve entrusted with their sensitive data,” he says. “It would be prudent to confirm that those vendors are also taking appropriate actions to protect the data.”
REFERENCE
- Gallardo M. Lurie Children’s Hospital restores key systems more than month after cyberattack. ABC7 Chicago. March 5, 2024. https://abc7chicago.com/lurie-...
SOURCE
- Donald DePass, JD, Hogan Lovells, Washington, DC. Phone: (202) 637-3286. Email: [email protected].